Virtualization-based malware analysis sandboxes have become one of the mainstream methods of inspecting malicious behavior before an unknown object, such as an application, is allowed to continue to be processed on a computing device. This is because virtualization provides capabilities such as invisible memory monitoring and disk input/output (IO) virtualization. However, advanced malware that uses evasion techniques can detect that it is running within a virtualization-based sandbox system and, in response, hide or modify its intended malicious behavior.
Some systems use native environments to prevent virtualization-aware malware from modifying its behavior and avoiding detection. However, these native approaches suffer from other issues, such as a loss of detection capabilities, because the native system does not run a hypervisor. Further, these systems typically have significant complexity and delays attributable to disk image management and system restoration operations. In a native system, monitoring the behavior of an application to detect malware relies on setting hooks in the code of the application. This typically requires recompiling the code, and advanced malware is able to detect the hooks added to the application. In response, the malware may adjust its behavior to avoid detection.